Security at Flourish
Your trust is at the center of what we do, which is why security is a top priority for us. Our products, processes and systems are designed to protect our users and data.
We have a dedicated InfoSec team that assists with customer security questions and ensures the business remains ISO27001 compliant. They also coordinate third-party penetration tests so the platform remains secure.
- ISO27001 certified: Flourish is certified to the internationally recognized info-security standard ISO27001 by the British Standards Institute.
- Encryption: We keep visualizations secure in transit and at rest. In transit, visualizations are only accessible via TLS/SSL and at rest, visualizations are encrypted with AES256.
- Staged releases: We only release software after qualifying it in development and staging environments.
- Data security: Our people and systems can only access the data they need to do their job and we store your projects with cloud providers who have top-tier physical security controls.
- Secure development practice: We peer review and test our code prior to release, including manual and automated checks for security issues.
- Hosted in Europe: Our cloud service provider is Amazon Web Services (AWS) Western Europe, and customer Projects are stored in the EEA.
Our Enterprise plan offers powerful security features including:
- Password policies: Set your own password policy, e.g. required combinations of character types.
- Enforce two-factor authentication: Make sure everyone in your team is using 2FA.
- Approval policies: Determine who, if anyone, can publish and whether they need approval.
- Session duration control: Specify the expiry time for users' session cookies across your company.
- InfoSec vendor process: Access to our InfoSec team and Whistic profile.
- SSO: Manage your users via SAML-based SSO.
Frequently asked questions
Unpublished projects are only ever visible to you or your colleagues unless you specifically publish them publicly. On an Enterprise account, you can also choose to publish behind a password and even restrict who, if anyone, is allowed to publish via approval workflows.
Flourish is ISO27001-certified by the British Standards Institute. This certification means that, as an organization, we have the people, processes and systems in place to effectively identify, assess, treat and monitor our information security risks. It means that we aim to have security built into every facet of our operations, and that we strive to improve our security posture through a process of continuous improvement.
Yes. Our security team is comprised of dedicated security professionals who work across the company to ensure our product, platforms and operations are secure.
Yes. Our ISO27001 certification requires us to have annual external audits of our information security management system and security controls.
We conduct a rolling security review with a third-party specialist, Tradecraft. At least once a year, they perform a full white-box penetration test of our platform.
We have also partnered with BugCrowd to run a public bug bounty program, providing continuous crowdsourced security testing. Please feel free to let us know of any bugs you encounter by emailing us at firstname.lastname@example.org.
The Flourish platform is hosted in the cloud in an encrypted database. All customer Projects are hosted by AWS and stored within the EU in Dublin, Ireland.
Our systems are only accessible by people and services that need access, using the principle of least privilege. The Flourish database is encrypted using AES256, which means that your data is unreadable by someone with access to our AWS environment.
Flourish is registered with the ICO in the UK but has users in many countries that each have their own laws about data privacy and security.
Our legal team continually monitors the evolving regulatory landscape to identify changes and determine what action Flourish needs to take to uphold our obligations in each jurisdiction.